Bug 31157

Summary: krb5 new security issue CVE-2022-42898
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, guillomovitch, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: krb5-1.19.2-5.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 29260    

Description David Walser 2022-11-20 18:00:18 CET 
Debian has issued an advisory on November 19:
https://www.debian.org/security/2022/dsa-5286

The issue is fixed upstream in krb5 1.19.4 and heimdal 7.7.1:
https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c

Mageia 8 is also affected.
David Walser 2022-11-20 18:00:39 CET

Blocks: (none) => 29260
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in krb5 1.19.4 and heimdal 7.7.1

Comment 1 Lewis Smith 2022-11-21 11:06:45 CET 
guillomovitch does both these packages, so assigning to you.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2022-11-21 22:52:38 CET 
openSUSE has issued an advisory for krb5 today (November 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6I6MV4DA2O6D7LCUS6WJQRCLT5N3QXGX/
Comment 3 David Walser 2022-11-22 14:33:16 CET 
Fedora has issued an advisory for krb5 today (November 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KNFBR437JQZXMPIT2AJCTGKUTQAFEMBY/

Severity: major => critical

David Walser 2022-11-23 20:31:22 CET

Blocks: (none) => 31172

Comment 4 David Walser 2022-11-23 20:32:34 CET 
heimdal moved to Bug 31172.

Status comment: Fixed upstream in krb5 1.19.4 and heimdal 7.7.1 => Fixed upstream in 1.19.4
Source RPM: krb5-1.19.2-5.mga9.src.rpm, heimdal-7.7.0-10.mga9.src.rpm => krb5-1.19.2-5.mga9.src.rpm
Summary: krb5, heimdal new security issue CVE-2022-42898 => krb5 new security issue CVE-2022-42898

David Walser 2022-11-26 22:23:01 CET

Blocks: 31172 => (none)

Comment 5 Guillaume Rousse 2022-11-27 14:06:02 CET 
Fixed by following submissions:
- krb5-1.19.2-6.mga9 in cauldron
- krb5-1.18.3-1.3.mga8 in 8/updates_testing
Comment 6 David Walser 2022-11-28 04:54:35 CET 
krb5-workstation-1.18.3-1.3.mga8
libkrb53-1.18.3-1.3.mga8
krb5-server-1.18.3-1.3.mga8
libkrb53-devel-1.18.3-1.3.mga8
krb5-server-ldap-1.18.3-1.3.mga8
krb5-1.18.3-1.3.mga8
krb5-pkinit-1.18.3-1.3.mga8

from krb5-1.18.3-1.3.mga8.src.rpm


Note that this update won't solve the issue Dave pointed out in Bug 29260 (but it does fix the CVEs there) but that's not a regression and this CVE is a serious issue in the library, so this needs to be pushed.

Version: Cauldron => 8
CC: (none) => guillomovitch
Status comment: Fixed upstream in 1.19.4 => (none)
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 7 Herman Viaene 2022-12-17 11:21:01 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried to follow the wiki and my own bug 24068 Comment 4

All seems to work OK, but found same issue as in bug 29260 for krlogin.
On Davids remark then OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-12-17 17:04:25 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-17 17:56:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-12-17 19:49:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0467.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED